Background
Currently content update is done by the user who created it which creates problem and is complex in scenarios where an admin want to update content by retired user. There should be an easy way to allow users to update content at the same time it should have authentication.
Problem Statement 1
What is the approach to generate the key?
Solution 1
Create JWT token with data passed upon. A JWT token will be created using secret key and below data
...
Custom generated time based key.
Solution 3
Using keycloak to generate an verify token to be used as masterkey.
Pros and Cons
| Key Generation Approach | Pros | Cons |
|---|---|---|
| JWT | no need to store the key in DB | |
| Custom | method is available so negligible time consuming | key needs to be stored in db |
| Keycloak | comparatively faster to implement | no support for channel or organisation based key key would expire based on keycloak configuration |
Problem Statement 2
What are the APIs required to manage master keys?
API Specifications
Create API
name and channel / organisationId is mandatory.
URL:
POST /v1/auth/masterkey/create
Headers:
- Authorization
- x-authenticated-user-token
Request Params:
Response Params:
Errors:
Sample Request and Response:
Verify API
Delete API
Problem Statement 3
What is the DB design for storing information about master keys?
Table Structure
...
approach 1 :
There should be a way to allow certain operations and for that we need to maintain master keys. These master keys would be created and stored through API by admin and would be used by anyone to bypass the current authentication mechanism.
There should be APIs to create, delete and verify the master key.
create API
Used to create a key with parameters channel, name and orgId.
...
| nopanel | true |
|---|
...
| param name | type | description |
|---|---|---|
| channel | String | channel for which master key is applicable for, if not provided can be calculated from organisationId |
| name | String | consumer name |
| organisationId | String | organisationId for which master key is applicable for, if not provided can be calculated from channel |
Response Params:
| param name | type | description |
|---|---|---|
| key | String | generated master key, mapped with the requested channel/organisationId and name |
Errors:
| status code | error code | error message |
|---|---|---|
| 400 | INVALID_ORG_DATA | Given Organization Data doesn't exist in our records. Please provide a valid one. |
| 400 | MANDATORY_PARAMETER_MISSING | Mandatory parameter {channel/organisationId, name} is missing. |
| 400 | PARAMETER_MISMATCH | Mismatch of given parameters: channel, organisationId. |
| 400 | KEY_EXISTS | Key exists for given channel {} and consumer {} |
Sample Request and Response:
| No Format | ||
|---|---|---|
| ||
Request { request : { "channel" : "sunbird", // channel name for which master key is generated "name" : "DikshaImplTeam", // consumer name who will use the key "orgId" : "01262366359399628812" // optional orgId to make the key org specific, default value is rootOrgId of channel } } Response body : (Success) 200 { "id": "api.auth.masterkey.create", "ver": "v1", "ts": "2019-01-29 09:17:31:909+0000", "params": { "resmsgid": null, "msgid": "9db786d3-45c2-447d-b657-f9768da15652", "err": null, "status": "success", "errmsg": null }, "responseCode": "OK", "result": { "key" : "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjaGFubmVsIjoic3VuYmlyZCIsIm5hbWUiOiJEaWtzaGFJ bXBsVGVhbSIsImNyZWF0ZWRCeSI6MTUxNjIzOTAyMiwiY3JlYXRlZE9uIjoxNTE2MjM5MDIyLCJleHBpcmVzT24iOjE1MTYyNDkwMjIsIm9yZ0lkIjoiMjM0NTY1NDU2In0.Cs5-FW7OHip6njkQvMP6zpIVB5Q-xLLgz_jnYW3zPOw" } } Response body : (Error) 400 { "id": "api.masterkey.create", "ver": "v1", "ts": "2018-01-29 11:12:31:853+0000", "params": { "resmsgid": null, "msgid": "8e27cbf5-e299-43b0-bca7-8347f7e5abcf", "err": "KEY_EXISTS", "status": "KEY_EXISTS", "errmsg": "Key exists for given channel sunbird and consumer DikshaImplTeam" }, "responseCode": "CLIENT_ERROR", "result": { } } |
Table Structure
...
Verify API
URL:
POST /v1/auth/masterkey/verify
Headers:
- Authorization
Request Params:
| param name | type | description |
|---|---|---|
| key | String | master key to verify |
Response Params:
| param name | type | description |
|---|---|---|
| channel | String | channel name related to master key |
| name | String | consumer name |
| description | String | describes the purpose for master key |
| organisationId | String | organisation Id mapped with key |
| createdBy | String | userId of the person who created the key |
| createdOn | timestamp | timestamp when master key was created |
Errors:
| status code | error code | error message |
|---|---|---|
| 400 | INVALID_ |
| KEY | Given master key is invalid | |
| 400 | MANDATORY_PARAMETER_MISSING | Mandatory parameter |
| key is missing. |
get API
Sample Request and Response:
| No Format | ||
|---|---|---|
| ||
POST /v1/masterkey/get Request body : { request : { "channelkey" : "sunbird", "consumer" : "DikshaImplTeam"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjaGFubmVsIjoic3VuYmlyZCIsIm5hbWUiOiJEaWtzaGFJ bXBsVGVhbSIsImNyZWF0ZWRCeSI6MTUxNjIzOTAyMiwiY3JlYXRlZE9uIjoxNTE2MjM5MDIyLCJleHBpcmVzT24iOjE1MTYyNDkwMjIsIm9yZ0lkIjoiMjM0NTY1NDU2In0.Cs5-FW7OHip6njkQvMP6zpIVB5Q-xLLgz_jnYW3zPOw" } } Response body : (Success) 200 { "id": "api.auth.masterkey.verify", "verresult": "v1",{ "tschannel": "2019-01-29 09:17:31:909+0000sunbird", "paramsname": { "resmsgid": null, "msgid"DikshaImplTeam", "description": "9db786d3-45c2-447d-b657-f9768da15652", "err": null, "statusorganisation content" "organisationId": "success01262366359399628812", "errmsgcreatedBy": null }, "responseCode": "OK", "result": {"00dd6646-be73-4fb0-b676-ccd01bda085e", "keycreatedOn" :1548932815386, "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjaGFubmVsIjoic3VuYmlyZCIsIm5hbWUiOiJEaWtzaGFJ bXBsVGVhbSIsImNyZWF0ZWRCeSI6MTUxNjIzOTAyMiwiY3JlYXRlZE9uIjoxNTE2MjM5MDIyLCJleHBpcmVzT24iOjE1MTYyNDkwMjIsIm9yZ0lkIjoiMjM0NTY1NDU2In0.Cs5-FW7OHip6njkQvMP6zpIVB5Q-xLLgz_jnYW3zPOw" } } Response body : (Error) 404 { "id": "api.masterkey", "ver": "v1", "ts": "2018-01-29 11:12:31:853+0000", "params": { "resmsgid": null, "msgid": "8e27cbf5-e299-43b0-bca7-8347f7e5abcf", "err": "KEY_NOT_EXISTS", "status": "KEY_NOT_EXISTS", "errmsg": "Key does not exists for given channel sunbird" }, "responseCode": "RESOURCE_NOT_FOUND", "result": { } } |
...
Delete API
URL:
POST /v1/auth/masterkey/delete
Headers:
- Authorization
- x-authenticated-user-token
Request Params:
| param name | type | description |
|---|---|---|
| channel | String | channel for which master key needs to be deleted |
| name | String | consumer name |
| organisationId | String | organisationId for which master key needs to be deleted |
Response Params:
None
Errors:
| status code | error code | error message |
|---|---|---|
| 400 | MANDATORY_PARAMETER_MISSING | Mandatory parameter {channel/organisationId, name} is missing. |
| 400 | KEY_NOT_EXISTS | Key does not exists for given channel {} and consumer {} |
Sample Request and Response:
| No Format | ||
|---|---|---|
| ||
POST /v1/masterkey/verify Request body : { request : { "keychannel" : "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjaGFubmVsIjoic3VuYmlyZCIsIm5hbWUiOiJEaWtzaGFJ bXBsVGVhbSIsImNyZWF0ZWRCeSI6MTUxNjIzOTAyMiwiY3JlYXRlZE9uIjoxNTE2MjM5MDIyLCJleHBpcmVzT24iOjE1MTYyNDkwMjIsIm9yZ0lkIjoiMjM0NTY1NDU2In0.Cs5-FW7OHip6njkQvMP6zpIVB5Q-xLLgz_jnYW3zPOw" } } Response body : (Success) 200 { "id": "api.masterkey.verify", "ver": "v1", "ts": "2019-01-29 09:17:31:909+0000", "params": { "resmsgid": null, "msgid": "9db786d3-45c2-447d-b657-f9768da15652", "err": null, "status": "success", "errmsg": null }, "responseCode": "OK", "result": { "channel": "sunbird", "consumer"sunbird", "name" : "DikshaImplTeam", "createdBy": "00dd6646-be73-4fb0-b676-ccd01bda085e", "createdOn":1516239022, "expiresOn":1516249025, "orgId"orgId" : "01262366359399628812" } } Response body : (Error) 400 { "id": "api.auth.masterkey.create", "ver": "v1delete", "ts": "2018-01-29 11:12:31:853+0000", "params": { "resmsgid": null, "msgid": "8e27cbf5-e299-43b0-bca7-8347f7e5abcf", "err": "INVALID_KEY", "status": "INVALID_KEY", "errmsg": "Provided key for channel sunbird is invalid" }, "responseCode": "CLIENT_ERROROK", "result": { } } |
Problem Statement 3
What is the DB design for storing information about master keys?
approach
...
custom generated key and storing it in DB
The API structure remain same, however the custom generated key is store in DB, It also needs to be indexed.
able Structure
1:
JWT token Table Structure
| column | type | description |
|---|---|---|
| channel* | text | consist user provide channel name |
| name* | text | provided by user |
| organisationId | text | provided by user or root org id mapped with channel |
| createdBy | text | user id who created the master key |
| createdOn | timestamp | created time |
approach 2:
custom generated key
| column | type | description |
|---|---|---|
| channel* | text | consist user provide channel name |
| consumername* | text | provided by user |
| orgIdorganisationId | text | provided by user or root org id mapped with channel |
| key | text | holds custom generated key |
| createdbycreatedBy | text | user id who created the master key |
| createdoncreatedOn | timestamp | created time |
| expireson | timestamp | when the token will be expired |
| lastUpdatedBy | text | user who updated the token |
| lastupdatedOn | timestamp | time when token was updated |
approach 3:
Using keycloak to generate an verify token to be used as masterkey.
This approach has below drawbacks
- This cannot be based on channel and consumer
- the expiry time is fixed in keycloak
...
Problem Statement 4
How to use generated master key to bypass existing user authentication?
approach 1:
- master key will be passed in X-authenticated-user-token
- use an extra header (X-authentication-type) declaring the type of authentication as master( for master key and user for user authentication).
approach 2:
- extra header (X-authentication-master-key) to pass master key.
- If above header is present it supersedes the user authentication
Pros and Cons
| Key Usage Approach | Pros | Cons |
|---|---|---|
| X-authentication-type | In future it can support additional authentication types |